Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition, by Gerard Johansen. Published by Packt Publishing, 2016.

Wireless attacks

One of the distinct advantages of the Nethunter platform is its size and the ability to be discreet. This is a useful advantage if you are tasked with testing the wireless security of a site while trying to maintain a level of covertness. Sitting in the lobby of a target location with your laptop open and an external antenna attached may attract unwanted attention. Deploying Nethunter on a Nexus 5 phone, with a discreet external antenna hidden behind a newspaper or day planner, is a better way to keep a low profile. Another key advantage of the Nethunter platform for wireless penetration testing is the ability to cover a wider area, such as a campus environment, without having to carry a large laptop around.

As we previously discussed in deploying Kali Nethunter, one of the use cases was in wireless penetration testing. In Chapter 12, Wireless Penetration Testing, there are a great many tools and techniques that can be leveraged using Kali Linux. Here we will discuss some of the same wireless attacks using the Nethunter platform.

Wireless scanning

As was discussed in the previous chapter, identifying wireless target networks is a critical step in wireless penetration testing. There are tools that are contained within the Nethunter platform that can perform wireless scanning and target identification. There are also third-party applications that have the added benefit of a user-friendly interface that can often gather the same, or more detailed, information about a possible target network.

Nethunter tools

Nethunter includes the Aircrack-ng suite of tools that was discussed in Chapter 12, Wireless Penetration Testing, and it works in the same way from the command line. Here we open a command shell and type airodump-ng to identify potential target networks:

[Screenshot: airodump-ng listing nearby networks]

Just as in the Kali Linux OS, we are able to determine the BSSID, the channel, and the SSID that is being broadcast.

Third-party apps

To make the process a little more user-friendly, there are several good third-party applications that can be used to identify potential target networks. One such tool is Wifi Analyzer. This tool produces much of the same information as we are able to gather with the Aircrack-ng suite of tools. Here is an example of a scan that was conducted:

[Screenshot: Wifi Analyzer scan results]

As we can observe, we are able to identify the BSSID, SSID, and the channel that is being used for broadcast. In addition, Wifi Analyzer is able to give a graphic representation of signal strength:

[Screenshot: Wifi Analyzer signal-strength graph]

This is very useful if you are walking around a campus environment. You may be able to zero in on a specific network by observing the signal strength getting weaker or stronger. Being closer to the access point reduces the chance that you will lose the connection halfway through your attack.

Note

As with any third-party applications, make sure you understand what privacy controls and information the application is using.

WPA/WPA2 cracking

As we previously discussed, the Aircrack-ng suite of tools that we examined in Chapter 12, Wireless Penetration Testing, is included with Nethunter. This allows us to perform the same attacks without any modification to commands or technique. Furthermore, we can utilize the same antenna that was used in Chapter 12, Wireless Penetration Testing, along with the external adapter. The following cracking was done against the same access point with the same BSSID that we discussed in Chapter 12, Wireless Penetration Testing. All of this was done with the Nethunter command line.

The following command was run; the screenshot shows its output:

# airodump-ng -c 6 --bssid -w Nethunter
[Screenshot: airodump-ng capturing the WPA handshake]

Aircrack-ng is able to grab the four-way handshake, just like the Kali Linux version. As we discussed in Chapter 12, Wireless Penetration Testing, we can then take this four-way handshake and recover the passcode using a pre-configured list. For demonstration purposes, the pre-configured list is short. Running the command #aircrack-ng -w wifipasscode.txt -b 44:94:FC:37:10:6E Nethunter-01.cap produces the following output:

[Screenshot: aircrack-ng output]

Using the Nethunter keyboard may get a bit tedious when cracking the passcode of a target network, but it can be done. Furthermore, this attack is useful in situations where sitting with a laptop and external antenna would draw undue attention. Another useful technique is to use the Nethunter platform to scan and capture the handshake, transfer the capture file to your Kali Linux platform, and run the cracking program there. This produces the same results while giving the penetration tester the ability to stay incognito.

WPS cracking

While typing commands on the Nethunter keyboard can cause a bit of frustration, Nethunter also includes the tool Wifite, which we addressed in Chapter 12, Wireless Penetration Testing. This tool allows us to conduct our attack by simply entering a number. Open a Kali command shell, type the command wifite, and hit Enter. This produces the following output, as shown in the screenshot:

[Screenshot: wifite interface list]

As we can see, there are some minor differences in the Nethunter output. There are two WLAN interfaces: the first is the internal wireless interface and the second is our own external antenna. There is also the P2P0 interface, which is the Android OS peer-to-peer wireless interface. We then put our WLAN1 interface into monitor mode by entering the number 3. This produces the following output:

[Screenshot: wifite scan with wlan1 in monitor mode]

As in Chapter 12, Wireless Penetration Testing, we see the same network we tested before. After we stop the scan, enter the number 15, and hit Enter, Wifite runs the same attack as before:

[Screenshot: wifite WPS attack output]

Looking at the preceding screenshot, we can see that we have recovered the same WPA key and PIN for the wireless network "Brenner."

Evil AP attack

The Evil Access Point, or Evil AP, attack is a type of wireless Man in the Middle attack. In this attack, we are attempting to have a target device or devices connect to a wireless access point we have set up that masquerades as a legitimate access point. Our target, thinking that this is a legitimate network, connects to it. The traffic to and from the client is sniffed while it is forwarded to the legitimate access point downstream. Any traffic that comes from the legitimate access point is also routed through our AP that we have set up and again, we have the ability to sniff that traffic.

The following diagram illustrates this attack. On the left is our target's laptop. In the middle is our Nethunter platform. To the right is a legitimate access point with a connection to the Internet. When the target connects to our Nethunter platform, we are able to sniff the traffic before it is forwarded to the legitimate access point. Any traffic from the access point is also sniffed and then forwarded to the client:

[Diagram: target laptop on the left, Nethunter platform in the middle, legitimate access point with Internet connection on the right]

This is simply a variation on the Man in the Middle attacks we have discussed earlier. What makes it different is that we do not need to know anything about the client or what network they are on, since we will be controlling the network they use. This attack often occurs in public areas that offer free wireless Internet, such as airports, coffee shops, and hotels.

Mana Evil AP

The tool that we will use on the Nethunter platform is the Mana Wireless Toolkit. Navigate from the Nethunter icon to the Mana Wireless Toolkit. The first page that you are brought to is the hostapd-karma.conf screen. This allows us to configure our Evil AP wireless access point:

[Screenshot: hostapd-karma.conf screen in the Mana Wireless Toolkit]

The first consideration is that you will need two wireless interfaces available. The Android wireless interface, most likely WLAN0, will need to be connected to an access point with Internet connectivity. This can be an access point you control, or simply the free wireless Internet available at the location. The WLAN1 interface will be our external antenna, which will provide the fake access point. Next, we can configure the BSSID to a MAC address that mimics an actual access point's. In addition, we can configure the SSID to broadcast any access-point identification. The other settings involve attacking using the Karma exploit, which is a variation on the Evil AP. (For more information, see https://insights.sei.cmu.edu/cert/2015/08/instant-karma-might-still-get-you.html.) We can leave those at their defaults. In this scenario, we keep the default settings, navigate to the three vertical dots, and hit Start mana. This starts the fake access point:

[Screenshot: Mana flushing cached information and starting the access point]

In the previous screenshot, we can see the Mana Evil AP flushing out cached information and setting up a new access point. If we switch to a client device, we can see the wireless access point SSID Free_Wifi, and we are able to connect to it without any authentication:

[Screenshot: client device showing the Free_Wifi SSID]

Now, in another terminal on the Nethunter platform, we start a tcpdump packet capture on the fake access point's interface with the following command:

# tcpdump -i wlan1

This produces the following:

[Screenshot: tcpdump output on wlan1]

As the connected device receives and transmits frames, we are able to sniff that traffic. Another option is to save the captured traffic to a .pcap file and then offload it for viewing in Wireshark.

This is a useful attack in the public areas of a target organization. Another key aspect of this attack is that more than one target device can connect. It is important to note, though, that if several devices do connect, the traffic may become noticeably slower for the targets. Another technique that can be used leverages this tool together with a weakness found in a number of mobile devices. Many mobile devices are configured to automatically connect to any network they have previously connected to. This automatic connection does not check the MAC address of the wireless access point, only the SSID that is being broadcast. In this scenario, we can give our Mana Evil Access Point a common SSID found at such locations. As people pass by, their mobile devices will automatically connect, and as long as they are in range, their traffic is routed through our device.
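The scanning section above identifies networks by BSSID, SSID and channel, and the Evil AP section relies on devices trusting an SSID regardless of which BSSID advertises it. As an added defender-side example (not code from the book or the Nethunter project), the following Python reads the CSV that airodump-ng writes next to its .cap file (for -w Nethunter that is Nethunter-01.csv) and flags the patterns a site would want to investigate: a known SSID advertised by a BSSID not in the inventory, an authorized BSSID whose SSID or security setting changed, or any open network. The sample CSV and the AUTHORIZED inventory are constructed for the example; the column layout assumed is airodump-ng's standard CSV output.

```python
# Constructed sample in the layout airodump-ng writes beside its .cap file
# (with "-w Nethunter" that is Nethunter-01.csv); every value is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2016-01-01 10:00:00, 2016-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.0.0.0, 7, Brenner,
AA:BB:CC:00:00:02, 2016-01-01 10:01:00, 2016-01-01 10:05:00, 11, 54, OPN, , , -70, 80, 0, 0.0.0.0, 9, Free_Wifi,
DE:AD:BE:EF:00:03, 2016-01-01 10:02:00, 2016-01-01 10:05:00, 6, 54, OPN, , , -35, 60, 0, 0.0.0.0, 7, Brenner,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Assumed site inventory: authorized BSSID -> (SSID, privacy it must advertise).
AUTHORIZED = {"AA:BB:CC:00:00:01": ("Brenner", "WPA2")}

def parse_access_points(text):
    """Return the AP table as dicts keyed by the CSV header; the station
    table that follows the blank line is ignored."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            if header:   # the blank line after the AP rows ends that table
                break
            continue
        fields = [f.strip() for f in line.split(",")]  # ESSIDs with commas not handled
        if header is None:
            header = fields
        elif len(fields) >= len(header):
            rows.append(dict(zip(header, fields)))
    return rows

def find_rogue_aps(rows, authorized):
    """Flag the patterns behind the Evil AP / Karma scenario: a site SSID from
    a BSSID not in the inventory, an authorized BSSID whose SSID or security
    changed, or any open (OPN) network a device might auto-join."""
    site_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for ap in rows:
        bssid, ssid, privacy = ap["BSSID"].upper(), ap["ESSID"], ap["Privacy"]
        if bssid in authorized:
            if (ssid, privacy) != authorized[bssid]:
                findings.append((bssid, ssid, "authorized BSSID changed SSID or privacy"))
        elif ssid in site_ssids:
            findings.append((bssid, ssid, "site SSID from unknown BSSID"))
        elif privacy == "OPN":
            findings.append((bssid, ssid, "open network, no authentication"))
    return findings

if __name__ == "__main__":
    for finding in find_rogue_aps(parse_access_points(SAMPLE_CSV), AUTHORIZED):
        print(*finding)
```

Pointing parse_access_points at a real Nethunter-01.csv from a periodic site walk, and keeping AUTHORIZED in step with the access-point inventory, turns the same scan the attacker runs into a rogue-AP check.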